|
|
|
|
.. Copyright 2016 OpenMarket Ltd
|
|
|
|
|
..
|
|
|
|
|
.. Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
.. you may not use this file except in compliance with the License.
|
|
|
|
|
.. You may obtain a copy of the License at
|
|
|
|
|
..
|
|
|
|
|
.. http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
..
|
|
|
|
|
.. Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
.. distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
.. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
.. See the License for the specific language governing permissions and
|
|
|
|
|
.. limitations under the License.
|
|
|
|
|
|
|
|
|
|
Room History Visibility
|
|
|
|
|
=======================
|
|
|
|
|
|
|
|
|
|
.. _module:history-visibility:
|
|
|
|
|
|
|
|
|
|
This module adds support for controlling the visibility of previous events in a
|
|
|
|
|
room.
|
|
|
|
|
|
|
|
|
|
In all cases except ``world_readable``, a user needs to join a room to view events in that room. Once they
|
|
|
|
|
have joined a room, they will gain access to a subset of events in the room. How
|
|
|
|
|
this subset is chosen is controlled by the ``m.room.history_visibility`` event
|
|
|
|
|
outlined below. After a user has left a room, they may see any events which they
|
|
|
|
|
were allowed to see before they left the room, but no events received after they
|
|
|
|
|
left.
|
|
|
|
|
|
|
|
|
|
The four options for the ``m.room.history_visibility`` event are:
|
|
|
|
|
|
|
|
|
|
- ``world_readable`` - All events while this is the
|
|
|
|
|
``m.room.history_visibility`` value may be shared by any participating
|
|
|
|
|
homeserver with anyone, regardless of whether they have ever joined the room.
|
|
|
|
|
- ``shared`` - Previous events are always accessible to newly joined members. All
|
|
|
|
|
events in the room are accessible, even those sent when the member was not a part
|
|
|
|
|
of the room.
|
|
|
|
|
- ``invited`` - Events are accessible to newly joined members from the point
|
|
|
|
|
they were invited onwards. Events stop being accessible when the member's state
|
|
|
|
|
changes to something other than ``invite`` or ``join``.
|
|
|
|
|
- ``joined`` - Events are accessible to newly joined members from the point
|
|
|
|
|
they joined the room onwards. Events stop being accessible when the member's state
|
|
|
|
|
changes to something other than ``join``.
|
|
|
|
|
|
|
|
|
|
.. WARNING::
|
|
|
|
|
These options are applied at the point an event is *sent*. Checks are
|
|
|
|
|
performed with the state of the ``m.room.history_visibility`` event when the
|
|
|
|
|
event in question is added to the DAG. This means clients cannot
|
|
|
|
|
retrospectively choose to show or hide history to new users if the setting at
|
|
|
|
|
that time was more restrictive.
|
|
|
|
|
|
|
|
|
|
Events
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
{{m_room_history_visibility_event}}
|
|
|
|
|
|
|
|
|
|
Client behaviour
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
Clients that implement this module MUST present to the user the possible options
|
|
|
|
|
for setting history visibility when creating a room.
|
|
|
|
|
|
|
|
|
|
Clients may want to display a notice that their events may be read by non-joined
|
|
|
|
|
people if the value is set to ``world_readable``.
|
|
|
|
|
|
|
|
|
|
Server behaviour
|
|
|
|
|
----------------
|
|
|
|
|
|
|
|
|
|
By default if no ``history_visibility`` is set, or if the value is not understood, the visibility is assumed to be
|
|
|
|
|
``shared``. The rules governing whether a user is allowed to see an event depend
|
|
|
|
|
on the state of the room *at that event*.
|
|
|
|
|
|
|
|
|
|
1. If the ``history_visibility`` was set to ``world_readable``, allow.
|
|
|
|
|
2. If the user's ``membership`` was ``join``, allow.
|
|
|
|
|
3. If ``history_visibility`` was set to ``shared``, and the user joined the
|
|
|
|
|
room at any point after the event was sent, allow.
|
|
|
|
|
4. If the user's ``membership`` was ``invite``, and the ``history_visibility``
|
|
|
|
|
was set to ``invited``, allow.
|
|
|
|
|
5. Otherwise, deny.
|
|
|
|
|
|
|
|
|
|
For ``m.room.history_visibility`` events themselves, the user should be allowed
|
|
|
|
|
to see the event if the ``history_visibility`` before *or* after the event
|
|
|
|
|
would allow them to see it. (For example, a user should be able to see
|
|
|
|
|
``m.room.history_visibility`` events which change the ``history_visibility``
|
|
|
|
|
from ``world_readable`` to ``joined`` *or* from ``joined`` to
|
|
|
|
|
``world_readable``, even if that user was not a member of the room.)
|
|
|
|
|
|
|
|
|
|
Likewise, for the user's own ``m.room.member`` events, the user should be
|
|
|
|
|
allowed to see the event if their ``membership`` before *or* after the event
|
|
|
|
|
would allow them to see it. (For example, a user can always see
|
|
|
|
|
``m.room.member`` events which set their membership to ``join``, or which
|
|
|
|
|
change their membership from ``join`` to any other value, even if
|
|
|
|
|
``history_visibility`` is ``joined``.)
|
|
|
|
|
|
|
|
|
|
Security considerations
|
|
|
|
|
-----------------------
|
|
|
|
|
|
|
|
|
|
The default value for ``history_visibility`` is ``shared`` for
|
|
|
|
|
backwards-compatibility reasons. Clients need to be aware that by not setting
|
|
|
|
|
this event they are exposing all of their room history to anyone in the room.
|
|
|
|
|
|
